Ontario's privacy commissioner talks about Facebook and privacy at Mesh

Ann Cavoukian wants Facebook Inc. to set its defaults to private and provide a simple set of instructions for how users can protect their privacy.

Speaking on a panel discussion about privacy and Facebook at the Mesh Conference in Toronto, Ontario's privacy commissioner recalled her early work with Facebook's former chief privacy officer Chris Kelly when the social networking site was just starting to circulate among the college crowd.

"In the past, I think they had an interest in portraying to their users that you could restrict the amount of information you wanted to disclose ... it's a different world now," she said.

Cavoukian's office has been flooded with concerns ever since Facebook overhauled its privacy settings in December 2009. "What upset people dramatically, myself included, was when the settings were changed," she said.

The default settings are now set to public, she said. "That's my problem right now. I don't want the default to be public -- everybody gets to see everything unless I go in and 'un-default' it," she said.

A New York Times article recently charted out Facebook's privacy settings and found 50 settings and over 170 options for managing privacy, she said. The chart also points out that at 5,830 words, Facebook's privacy policy is longer than the 4,543-word count of the United States Constitution.

Another problem is that it is just too complicated, said Cavoukian. People don't have time to read privacy policies that are longer than the U.S. Constitution, she said.

Cavoukian advocates the use of "short notices," a concept developed by the privacy commissioner's office several years ago that simplifies and condenses privacy policies for end users.

"That would be my message to Facebook -- simplify what you are offering. Explain to people, in very simple terms, how you can protect your privacy if you want to," she said.

Cavoukian said she wouldn't give up on Facebook doing the right thing in the end. "They don't have a chief privacy officer right now, so I think one of the reasons it's sort of just floating out there is they don't have the right people manning the ship anymore -- that can change," she said.

But end users also have a role to play, according to Cavoukian. "You don't like people using information in that way, walk away ... you have to demonstrate that and enough people don't do that and it's your problem as much as it's our problem," she said.

The bottom line is going to be whether Facebook's user base drops, she said. "Imagine if overnight, 100 million users walk away from Facebook and go to Diaspora or something else that is more protective of their privacy," she said.

Diaspora, an open source social network under development by four New York University (NYU) students, engrains privacy by default into their business model, she said. "If it was me and I was on one of these services, I would probably go to Diaspora than Facebook," she said.

Cavoukian said she isn't suggesting "taking down" Facebook. "What I'm saying is if you don't like the service you are being provided, go somewhere where you can get that service. And if enough people feel that way, it will change," she said.

Canadian privacy lawyer David Fraser, a partner with McInnes Cooper and author of the Canadian Privacy Law Blog, agreed with Cavoukian that users can incite change. If all the people changing their Facebook statuses to complain about Facebook and privacy would leave, that would be a very loud message, he said.

But Fraser, a Facebook user himself, said he would find it difficult to give up his account because of the benefits it provides.

"There is the dilemma," said Cavoukian. "You can't expect regulators to fix that problem."

The challenge is finding a way to give people that level of control over their information in a way that they can actually handle, said Fraser. "In terms of granularity on Facebook, you can display it as a mess ... but on the flip side, you can look at it as a marvelous piece, at least an attempt to get there," he said.

Cavoukian doesn't have a Facebook account, but said she did experiment with the social networking site last summer. "We were asked by the University of Ottawa, four commissioners, to all Facebook over the summer and see what the experience was like," she told ComputerWorld Canada in an interview after the panel discussion.

"It was a lot of fun," she said. Cavoukian cancelled the account because she didn't have the time to maintain it. "It took up so much of my time ... it was too much and I just stopped using it," she said.

Cavoukian said she used a pseudonym for her Facebook account to avoid getting flooded with friend requests. The pseudonym was disclosed to Facebook, the four privacy commissioners and a couple family members. "Even under those conditions ... I couldn't keep up with all the messages," she said.

During the question-and-answer period, one Mesh attendee suggested those with Facebook accounts visit Reclaimprivacy.org. The site provides a plug-in that will run an automatic audit on a user's Facebook privacy settings and reveal where the holes are, he said.